The --verify-database command requires that the policy under which a file is checked is stored in the baseline database. (Note that this affects only this command; for normal file system monitoring, the checking policy is taken from the configuration file, not from the baseline database.) For this reason, the format of the baseline database has changed in samhain 4.0. However, the check policy stored in the database can become incorrect in the following cases:
- Added files: If files are added to the filesystem after baseline initialisation and reported by the client, the correct policy must be stored along with them. To ensure this, set the option ReportCheckflags = yes in the client configuration (for backward compatibility, this option is off by default).
- Merging a DeltaDB: The DeltaDB is generated with the policy set to ReadOnly, so that a complete set of checksums and metadata is collected. If the actual policy for some of these files is less restrictive, because some of that data is allowed to change, a later --verify-database may report spurious failures for them.
- Client configuration change: If the client configuration file is changed to alter the checking policy for monitored files, the policy stored in the baseline database no longer matches the one used for monitoring. It is therefore recommended to re-initialize the baseline after such a change.